Find notable cyber news and cases, enriched with sources, timelines, and signals.

Visual Studio Code-delivered JavaScript backdoor

Malware Activity
First reported
Last updated
Happening score
H score 29
1 unique sources, 2 articles

Summary

Hide ▲

North Korean threat actors are using malicious Next.js repositories in a fake job-recruitment campaign to trigger remote code execution (RCE) on developer systems and establish persistent command-and-control (C2). Microsoft says the repositories are disguised as technical assessment materials and use multiple execution paths, including Visual Studio Code workspace automation and Node.js-based loader behavior, to fetch and run attacker-controlled JavaScript. The activity is intended to reach source code, environment secrets, and build or cloud resources on infected machines.

Related Happenings

Codfish/semantic-release-action hit by network compromise

Incident
H score21 First: 26.06.2026 14:05 Last: 26.06.2026 14:05 Sources 1

About this happening: The **codfish/semantic-release-action** GitHub Action was hit by a **malicious commit force-push** and **tag redirection** that caused trusted workflows to run attacker code. The...

Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw

Vulnerability
H score33 First: 22.06.2026 20:28 Last: 22.06.2026 20:28 Sources 1

About this happening: Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.

Contagious Interview UNK_DeadDrop GitHub phishing campaign

Campaign
H score37 First: 15.06.2026 22:32 Last: 15.06.2026 22:32 Sources 1

About this happening: The **Contagious Interview** cluster is running the **UNK_DeadDrop** phishing campaign to lure developers with **recruitment** and **code review** themes, reaching **nearly 100 or...

UNK_DeadDrop developer phishing campaign using fake job and code-review lures

Campaign
H score30 First: 08.06.2026 18:00 Last: 08.06.2026 18:00 Sources 1

About this happening: A **UNK_DeadDrop** phishing campaign sent **more than 250 emails** to software developers at **almost 100 organizations**, using fake job and code-review lures to steal **cryptocu...

Visual Studio Code VS Code token-theft zero-day security flaw

Vulnerability
H score44 First: 03.06.2026 09:50 Last: 03.06.2026 09:50 Sources 1

About this happening: A **Visual Studio Code (VS Code) zero-day** lets attackers steal **GitHub OAuth tokens** by abusing the editor's **sandboxed webview message-passing system**. The flaw is especial...

Latest development: 03.06.2026 15:58

Microsoft has acknowledged a Visual Studio Code vulnerability that can let an attacker use a crafted link and malicious webview message-passing to steal a victim's GitHub OAuth token via GitHub.dev, and said it is working on a fix; Microsoft also said the issue does not affect VS Code Desktop.

Timeline

  1. 22.01.2026 00:00 3 articles · 5mo ago

    Contagious Interview adds VS Code backdoor delivery

    Initial Disclosure

    Jamf Threat Labs disclosed that North Korean threat actors behind the Contagious Interview campaign are using a new Visual Studio Code delivery path that lures software developers to open malicious GitHub or GitLab repositories, prompts them to trust the repository author, and then executes a malicious configuration file that can run arbitrary commands and drop a previously unseen JavaScript backdoor via Node.js on macOS systems.

    Show sources